
Software is becoming more interdependent, and that’s a big security problem

Recent incidents have highlighted the risks of relying on a growing ecosystem of third-party software packages.

By Nicu Calcea

On 16 March, 20 days after Russia invaded Ukraine, users of the Vue.js development framework were panicking. Vue is a set of tools that makes it easier for developers to build interfaces for websites and web applications, including at companies like Facebook, Netflix and Nintendo. According to BuiltWith, it powers 19.8 per cent of the world’s biggest 10,000 websites.

So, what does a popular programming tool have in common with the war in Ukraine? Under the hood, Vue, like all tools of its kind, relies on a bundle of other software packages that it automatically downloads. Software packages make it easier for programmers to add functionality to their applications without having to code it from scratch.

In this case, Vue included a dependency on a package called “node-ipc”, whose developer decided to add a small amount of code that would create a text file containing anti-war messages on the desktops of those who use it. But if the package was installed on a device with a Russian or Belarusian IP address, it would also start wiping files from the device and replacing them with a heart emoji.

This was not the first incident of its kind. Earlier this year, the developer of two other popular packages sabotaged them by modifying them to produce gibberish text instead of their expected output.

These incidents show how software developers rely on an increasingly large ecosystem of third-party packages. While these packages can greatly simplify and speed up development, they also have wide security implications.


A 2018 study of npm – a package manager that is the biggest and most used repository of third-party packages for JavaScript developers – found that the average package would automatically install an additional three packages in order to function. These additional packages, in turn, would install even more packages. On average, the final total for installing just one package was some 80 packages from 40 developers. That number has likely grown since then.


As the study’s researchers note, this creates huge security concerns, as malicious code in one package could affect thousands of others. Just 20 developers (out of more than 150,000) are needed to compromise half of the ecosystem.

While the npm ecosystem is notorious for its complexity and interconnectedness, other programming languages are facing similar issues.

To mitigate these security issues, the researchers suggest introducing vetting processes for developers who are in charge of maintaining and updating packages, validating their identity and helping them understand security principles. Whatever the outcome, these kinds of attacks are likely to increase as software becomes more interdependent.
